Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation

Sumit GulwaniMicrosoft Research, Redmond

Final Goal of the class

Automatically verify partial correctness of programs like the following using abstract interpretation.

Void Init(int* A, int n) { for (i := 0; i<n; i++;) A[i] := 0; for (j := 0; j<n; j++;) Assert(A[j] = 0);}

Outline

Decision Procedures– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns

• Logical Abstract Interpretation– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns– Universally Quantified Formulas

• Hardness of Assertion Checking– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns

Decision Procedures

DPT() = Yes, if is satisfiable

= No, if is unsatisfiable

Without loss of generality, we can assume that is a conjunction of atomic facts.

• Why?– DP(1Ç2) is sat iff DP(1) is sat or DP(2) is sat

• What is the trade-off?– Converting into DNF may incur exponential

blow-up

Outline

• Decision Procedures Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns



Linear Arithmetic

Expressions e := y | c | e1 § e2 | c £ eAtomic facts g := e¸0 | e0

Note that e=0 can be represented as e¸0 Æ e·0 e>0 can be represented as e-1¸0 (over integer LA)

• The decision problem for integer LA is NP-hard. • The decision problem for rational LA is PTime.

– PTime algorithms are complicated to implement. Popular choice is an exponential algorithm called “Simplex”

– We will study a PTime algorithm for a special case.

Difference Constraints

• A special case of Linear Arithmetic• Constraints of the form x·c and x-y·c

– We can represent x·c by x-u·c, where u is a special zero variable. Wlog, we will assume henceforth that we only have constraints x-y·c

• Reasoning required: x-y·c1 Æ y-z·c2 ) x-z·c1+c2

• O(n3) (saturation-based) decision procedure– Represent contraints by a matrix Mn£n

• where M[i][j] = c represents xi–xj· c

– Perform transitive closure of M• M[i][j] = min { M[i][j], M[i][k]+M[k][j] }

– is unsat iff 9i: M[i][i] < 0

Outline

• Decision Procedures– Linear Arithmetic Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns



Uninterpreted Functions

Expressions e := x | F(e1,e2)

Atomic fact g := e1=e2 | e1e2

Axiom 8e1,e2,e1’,e2’: e1=e1’ Æ e2=e2’ ) F(e1,e2)=F(e1’,e2’)

(called congruence axiom)

(saturation-based) Decision Procedure

• Represent equalities e1=e2 2 G in Equivalence DAG (EDAG)– Nodes of an EDAG represent congruence classes of

expressions that are known to be equal.

• Saturate equalities in the EDAG by following rule:– If C(e1)=C(e1’) Æ C(e2)=C(e2’), Merge C(F(e1,e2)), C(F(e1’,e2’))

where C(e) denotes congruence class of expression e

• Declare unsatisfiability iff 9 e1e2 in G s.t. C(e1) = C(e2)

Uninterpreted Functions: Example

y

F

F

F

F

Fy=F3(y)

F(y)=F4(y)

F2(y)=F5(y)

y=F2(y)

y=F5(y)

yF(y)

F(y)=F3(y)

y=F(y)

?: unsat

Æ Æ

Uninterpreted Functions: Complexity

• Complexity of congruence closure : O(n log n), where n is the size of the input formula– In each step, we merge 2 congruence classes.

The total number of steps required is thus n, where n is a bound on the original number of congruence classes.

– The complexity of each step can be O(log n) by using union-find data structure

Outline

• Decision Procedures– Linear Arithmetic– Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Fns



Combination of Linear Arithmetic and Uninterpreted Functions

Expressions e := y | c | e1 § e2 | c £ e | F(e1,e2)

Atomic Facts g := e¸0 | e0

Axioms: Combined axioms of linear arithmetic + uninterpreted fns.

Decision Procedure: Nelson-Oppen methodology for combining decision procedures

Combining Decision Procedures

• Nelson-Oppen gave an algorithm in 1979 to combine decision procedures for theories T1 and T2, where:– T1 and T2 have disjoint signatures

• except equality

– T1, T2 are stably infinite

• Complexity is O(2n2£(W1(n)+W2(n)).

• If T1, T2 are convex, complexity is O(n3£(W1(n)+W2(n)).

The theories of linear arithmetic and uninterpreted functions satisfy all of the above criterions.

Convex Theory

A theory is convex if the following holds.

Let G = g1 Æ … Æ gn

If G ) e1=e2 Ç e3=e4, then G ) e1=e2 or G ) e3=e4

Examples of convex theory:- Rational Linear Arithmetic- Uninterpreted Functions

Examples of Non-convex Theory

y=sel(upd(M,a,0),b) ) y=0 Ç y=sel(M,b)But y=sel(upd(M,a,0),b) ) y=0 and y=sel(upd(M,a,0),b) ) y=sel(M,b)

/

/

• Theory of Integer Linear Arithmetic

• Theory of Arrays

2·y·3 ) y=2 Ç y=3But 2·y·3 ) y=2 and 2·y·3 ) y=3/ /

Stably Infinite Theory

• A theory T is stably infinite if for all quantifier-free formulas over T, the following holds:

If is satisfiable, then is satisfiable over an infinite model.

• Examples of stably infinite theories– Linear arithmetic, Uninterpreted Functions

• Examples of non-stably infinite theories– A theory that enforces finite # of distinct elements.

Eg., a theory with the axiom: 8x,y,z (x=y Ç x=z Ç y=z). Consider the quantifier free formula : y1=y2.

is satisfiable but doesn’t have an infinite model.

Nelson-Oppen Methodology

• Purification: Decompose into 1 Æ 2 such that i contains symbols from theory Ti.

– This can be done by introducing dummy variables.

• Exchange variable equalities between 1 and 2 until no more equalities can be deduced.– Sharing of disequalities is not required because of

stably-infiniteness.– Sharing of disjunctions of equalities is not

required because of convexity.

• is unsat iff 1 is unsat or 2 is unsat.

Combining Decision Procedures: Example

a1=2y2-y1

y1·4y3·a2 Æ y

14y

3

y1 = y2

y1 = a2

a2=F(a1)

y1=F(y1) Æ y2=F(F(y1))y1 = a1

y1 · 4y3 · F(2y2-y1) Æ y1=F(y1) Æ y2=F(F(y1)) Æ y14y3

Purification

y1=y

2y1=a

1y1=a

2

?: unsat

Saturation

Outline

• Decision Procedures– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns

Logical Abstract Interpretation– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns– Universally Quantified Formulas


Logical Abstract Interpretation

• Abstract Interpretation of a program involves interpreting the program over abstract values from some abstract domain D equipped with a partial order ¹

• Logical Abstract Interpretation refers to the case when – D = logical formulas over theory T

– ¹ = logical implication relationship, i.e., E ¹ E’ iff E )T E’

• We will study following examples of logical interpretation– D consists of finite conjunctions of atomic facts over T.

• Linear Arithmetic• Uninterpreted Functions• Combination of Linear Arithmetic and Uninterpreted Functions

– D consists of universally quantified formulas over T.

Transfer Functions for Logical Abstract Interpreter

G =Join(G1,G2) = dG1 Ç G2e

G2G1

Join Node

G2 = G’Æ:g

gTrue False

G’

G1 = G’Æg

Conditional Node

G =Postcondition(y := e, G’) =d 9y’: G’[y’/y] Æ y=e[y’/y] e

y := e

G’

Assignment Node

• An abstract interpreter computes abstract values or facts at each program point from facts at preceding program points using appropriate transfer fns.

• Transfer functions for a logical abstract interpreter thus involve providing operators for over-approximating disjunction and existential quantifier elimination.

Fixed-point Computation

• In presence of loops, fixed-point computation is required. The process is accelerated by using a widening operator, which takes the facts in the current and previous iteration (at some point inside a loop) and generates something weaker than the current fact.– A widening operator should guarantee convergence

in a bounded number of steps. – Widening is typically applied at loop header points.

• Facts generated after fixed-point are invariants and can be used to validate assertions using decision procedures.

assert(g)

G’

Validate iff G’Æ: g is unsat

Initialization

• The fact at program entry is initialized to >, which in our setting is the logical formula “true”.– This denotes that we make no assumptions

about inputs, and whatever we prove will be valid for all inputs.

• The facts at all other program points are initialized to ?, which in our setting is the logical formula “false”.– This denotes our optimistic assumption of

unreachability of program locations (unless we can prove them reachable in the process of fixed-point computation).

Outline


• Logical Abstract Interpretation Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns– Universally Quantified Formulas



• Abstract element: – conjunction of xi-xj · cij

– can be represented using matrix M, where M[i][j]=cij

• Decide(M):1. M’ := Saturate(M)2. Declare unsat iff 9i: M’[i][i] < 0

• Join(M1, M2): 1. M’1 := Saturate(M1); M’2 := Saturate(M2);

2. Let M3 be s.t. M3[i][j] = Max { M’1[i][j], M’2[i][j] }

3. return M3


• Eliminate(M, xi):1. M’ := Saturate(M);2. Let M1 be s.t. M1[j][k] = 1 (if j=i or k=i)

= M’[j][k] otherwise3. return M1

• Widen(M1, M2): 1. M’1 := Saturate(M1); M’2 := Saturate(M2);

2. Let M3 be s.t. M3[i][j] = M1[i][j] (if M1[i][j] = M2[i][j])) = 1 (otherwise)

3. return M3

1·y<51 Æ z=y+2

Difference Constraints: Example

y < 50

y := 0; z := 2;

y++; z++;

y=0, z=2

y=1 Æ z=3

?

?

?

?

true

y=0 Æ z=2

y=0 Æ z=2

0·y·1 Æ z=y+2

0·y·1 Æ z=y+2

1·y·2 Æ z=y+2

0·y·2 Æ z=y+20·y Æ z=y+2

0·y<50 Æ z=y+2

0·y<51 Æ z=y+2

y=50 Æ z=y+2

FalseTrue

Assert (z=52)

Outline


• Logical Abstract Interpretation– Linear Arithmetic Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns– Universally Quantified Formulas



• Abstract element: – conjunction of e1=e2, where e := y | F(e1,e2)– can be represented using EDAGs

• Decide(G): 1. G’ := Saturate(G);2. Declare unsat iff G contains e1 e2 and G’ has e1,

e2 in the same congruence class.

• Eliminate(G, y): 1. G’ := Saturate(G);2. Erase y; (might need to delete some dangling

expressions)3. return G’


• Join(G1, G2):

1. G’1 := Saturate(G1); G’2 := Saturate(G2);

2. G := Intersect(G’1, G’2);

3. return G;

For each node n = <U, {ni,n’i}> in G ’1

and node m = <V, {mj, m’j}> in G2’,

G contains a node [n,m] = <U Å V, {[ni, mj], [n’i,m’j]}>

Uninterpreted Functions: Example of Join

G1 G2

F

y2, F

y1, F

y3,y4 y5

F

y6 y7

F

y2, F

y1, F

y4,y5

F

y6,y7 y3

G = Join(G1,G2)

F

y2, F

y1, F

y4,y5

F

y6 y3 y7

Outline


• Logical Abstract Interpretation– Linear Arithmetic– Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Fns– Universally Quantified Formulas


Combination: Decision Procedure

• DP(E12):

1. <E1, E2> := Purify&Saturate(E12);

2. Return DPT1(E1) Æ DPT2

(E2);

Combination: Join Algorithm

• JoinT12(L12, R12):

1. <L1, L2> := Purify&Saturate(L12); <R1, R2> := Purify&Saturate(R12);

2. DL := Æ {vi=<vi,vj> | vi2Vars(L1ÆL2), vj2Vars(R1ÆR2) };

DR := Æ {vj=<vi,vj> | vi2Vars(L1ÆL2), vj2Vars(R1ÆR2) };

3. L’1 := L1 Æ DL; R’1 := R1 Æ DR;L’2 := L2 Æ DL; R’2 := R2 Æ DR;

4. A1 := JoinT1(L’1, R’1);

A2 := JoinT2(L’2, R’2);

5. V := Vars(A1ÆA2) – Program Variables; A12 := EliminateT12

(A1ÆA2, V);

6. Return A12;

y=F(a)a=ha,bi

z=a-1a=ha,bi

y=F(b)b=ha,bi

z=b-1b=ha,bi

z=a-1 Æ y=F(a)

z=b-1 Æ y=F(b)

ha,bi=1+z

y=F(ha,bi)

JoinlaJoinuf

Eliminateuf+la

y=F(1+z)

{ ha,bi }

Joinuf+l

a

Combination: Example of Join Algorithm

Combination: Existential Quantifier Elimination

• ElimintateT12(E12, V):

1. <E1, E2> := Purify&Saturate(E12);

2. <D, Defs> := DefSaturate(E1, E2, V [ Temp Variables);

3. V’ := V [ Temp Variables – D;E’1 := EliminateT1

(E1, V’);

E’2 := EliminateT2(E2, V’);

4. E := (E’1 Æ E’2) [Defs(y)/y];

5. Return E;

DefSaturate(E1, E2, U) returns the set of all variables D that have definitions Defs in terms of variables not in U as implied by E1 Æ E2.

a=F2(b) Æ c=F(b)

a·b·y Æ z=c+1

a·b·y Æ z=c+1 Æ a=F2(b) Æ c=F(b)

{ a, b, c }

{ b }

a · y Æ z=c+1

Eliminateu

f

Substitute

F(z-1) · y

c z-1 a F(z-1)

Eliminateuf

+la

Combination: Example of Existential Elimination

c z-1a F(z-1)

Defla Defuf

Eliminatel

a

a = F(c)

1·i,

N(x)=N(y)+i

struct List { struct List* next;} x, y;

N(z) = 0, if z = null = 1 + N(z!next)

Abstract Interpretation over Combined Domain: Example

ynull

y := x; i := 0;

i := i+1;y := y!next;

y=x, i=0

y=x!next, i=1, xnull

N(x)=N(x!next)+1

?

?

?

?

true

y=x, i=0

y=x, i=0, ynull

0·i·1

N(x)=N(y)+i

0·i·1, y null

N(x)=N(y)+i

1·i·2,

N(x)=N(y)+i

0·i·2,

N(x)=N(y)+i

0·i,

N(x)=N(y)+i

0·i, y null

N(x)=N(y)+i

Outline


• Logical Abstract Interpretation– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns Universally Quantified Formulas


Universally Quantified Abstract Domain

• Abstract element is of the form E Æ Æi(8X: Ai)Bi)

– where E, Ai, Bi are from some underlying base domain(s) D.

• The partial order ¹ is a refinement of the more natural implication relationship.

E Æ Æi(8X: Ai)Bi) ¹ E’ Æ Æj(8X: A’j)B’j) iff

– E ) E’

– 8j 9i s.t. EÆA’j)Ai and EÆBi)B’j

• Another way to state the above thing would be to say that the partial order is still the implication relationship but transfer functions are incomplete.

Quantified Abstract Domain: Join Algorithm

• Consider a simpler case first. Let (E Æ 8X:A)B) = Join(E1 Æ 8X:A1)B1, E2 Æ 8X:A2)B2). Then,

– (E1 Æ 8X:A1)B1) ¹ (E Æ 8X:A)B)– (E2 Æ 8X:A2)B2) ¹ (E Æ 8X:A)B)Or, equivalently,– E1)E and E2)E. Thus, E = Join(E1, E2).– E1ÆA)A1 and E2ÆA)A2, i.e., A ) (E1)A1 Æ E2)A2). Thus,

A = bE1)A1 Æ E2)A2c.– E1ÆB1 ) B and E2ÆB2 ) B. Thus, B = Join(E1ÆB1, E2ÆB2).

• Join(E1 Æ Æi(8X: A1i)B1

i), E2Æ Æi(8X: A2i)B2

i)):

1. result := JoinD(E1, E2);2. Forall i,j: 3. A := bE1)A1

i Æ E2)A2jc; B := JoinD(E1ÆB1

i, E2ÆB2j);

4. result := result Æ 8X:A)B5. return result;

Quantified Abstract Domain: Example of Join

Let G1 = (i=0 Æ 8k: k=0 ) F[k]=i)

G2 = (i=1 Æ 8k: 0·k·1 ) F[k]=0)

Then Join(G1, G2) = 0·i·1 Æ 8k: A)B, where

A = b(i=0)k=0) Æ (i=1)0·k·1)c = 0·k·i B = JoinD(i=0 Æ F[k]=i, i=1 Æ F[k]=0) = F[k]=0

Quantified Abstract Domain: Eliminate

Let (E’ Æ 8X:A’)B’) = Eliminate(E Æ 8X:A)B, s). Then,

(E Æ 8X:A)B) ¹ (E’ Æ 8X:A’)B’) among other things.

For simplicity, assume that s doesn’t affect terms in A,B involving X. Then, – E)E’ and E’ doesn’t contain any term affected by change to

s. • Thus, E’ = EliminateD(E,s).

– EÆA’)A and A doesn’t contain any term affected by change to s. • Thus, A’ = b8s:E)Ac.

– EÆB)B’ and B’ doesn’t contain any term affected by change to s. • Thus, B’ = EliminateD(EÆB, s).

Quantified Abstract Domain: Eliminate

• Eliminate(G, s):1. Let G be E Æ 8X:A)B

– Psuedo-code can be easily extended for multiple 8

2. T := { e | e occurs in A or B; Vars(e) Å X ; }

3. A := A Æ Æe2T NotEffect(<s,G>, e);

4. E’ := EliminateD(E,s);

5. B’ := EliminateD(BÆE,s);

6. A’ := b8s:E)Ac ;

7. return (E’ Æ 8X: A’)B’)

• NotEffect(<s,G>, e) denotes a constraint g s.t. GÆg implies that s does not affect e.

Quantified Abstract Domain: Example of Eliminate

Let G = (F[0]>10 Æ 8k: 0·k<F[0] ) F[k]>F[0] )Then Eliminate(G, F[0]) = true Æ 8k: A’)B’, where T = { k, F[k] } NotEffect(<F[0],G>, F[k]) = k0 NotEffect(<F[0],G>, F[k]) = true A1 = 0·k<F[0] Æ k 0 Æ true = 1·k<F[0]

A’ = b8F[0]: F[0]>10 ) 1·k<F[0]c = 1·k<10

B’ = Eliminate(F[k]>F[0] Æ F[0]>10, F[0]) = F[k]<10

2·i·n Æ 8k: 0·k<i ) F[k]=0

Quantified Abstract Domain : Example

i < n

F[0] := 0; i := 1;

F[i] := 0; i++;

i=1 Æ F[0]=0

i=2 Æ F[0]=0 Æ F[1]=0

?

?

?

?

true

i=1 Æ F[0]=0

i=1 Æ F[0]=0

1·i·2 Æ 8k: 0·k<i ) F[k]=0

1·i·2 Æ 8k: 0·k<i ) F[k]=0

2·i·3 Æ 8k: 0·k<i ) F[k]=0 1·i·3 Æ 8k: 0·k<i ) F[k]=01·i Æ 8k: 0·k<i ) F[k]=0

1·i<n Æ 8k: 0·k<i ) F[k]=0

1·i Æ 8k: 0·k<i ) F[k]=0

i¸n Æ 8k: 0·k<i ) F[k]=0FalseTrue

i := 0;

i=2 Æ 8k:0·k·1 ) F[k]=0

i=1 Æ 8k:k=0 ) F[k]=0

i=0 Æ 8k: 0·k<n ) F[k]=0

References

• Uninterpreted Functions– “A polynomial time algorithm for global value numbering”

SAS 2004, S. Gulwani, G. Necula– “Join algorithms for the theory of uninterpreted fns”

FSTTCS 2004, S. Gulwani, A. Tiwari, G. Necula

• Combination of Linear Arithmetic and Uninterpreted Fns– “Combining Abstract Interpreters” PLDI 2006, S. Gulwani, A. Tiwari

• Universally Quantified Abstract Domain– “Lifting Abstract Interpreters to Quantified Logical

Domains” POPL 2008, S. Gulwani, B. McCloskey, A. Tiwari

Outline



Hardness of Assertion Checking– Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns

Abstract Program Model / Problem Statement

Linear Arithmetic e := y | c | e1 § e2 | c e g := e¸0

Uninterpreted Functions e := y | F(e1,e2) g := e1=e2

Combination e := y | c | e1 § e2 | c e | F(e1,e2) g := e¸0

Assignment

y := e

Conditional

gTrue False

Non-deterministic Assignment

y := ?

Assertion

Assert(g)

Outline



• Hardness of Assertion Checking Linear Arithmetic– Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns

Assertion Checking: Linear Arithmetic

• Non-deterministic Conditionals– Equality Assertions: PTIME

• Perform abstract interpretation over linear equalities.• “Affine relationships among variables of a program”, Karr

76

– Inequality assertions: ?

• Deterministic Conditionals: Undecidable– Even with equality conditionals and equality assertions– PCP Problem can be reduced to it.– “A Note on Karr’s Algorithm”, H. Seidl, M. Muller-Olm,

ICALP 2004

Reducing PCP Problem to Assertion Checking

• The following problem (PCP Problem) is undecidable. Given pairs: (u1,v1), …, (um,vm), where ui, vi 2 {0,1}*

Decide: 9 a non-empty sequence i1, …, in such that

ui1 … uin

= vi1 … vin

• Given a PCP instance, we will construct an assertion checking problem over linear arithmetic such that the assertion holds iff the solution to PCP instance is false.

y=z ?


y := 1; z := 1;

y := 2|u1

| £ y + <u1>;

z := 2|v1

| £ z + <v1>;

FalseTrue

Assert (d=0);

y := 2|um

| £ y + <um>;

z := 2|vm

| £ z + <vm>; *

d := 1;

d := 0;

Outline



• Hardness of Assertion Checking– Linear Arithmetic Uninterpreted Functions– Combination of Linear Arithmetic and Uninterpreted Fns

Assertion Checking: Uninterpreted Functions

• Non-deterministic Conditionals: PTIME– Abstract interpretation over uninterpreted fns.

• Deterministic Conditionals: Undecidable– PCP Problem can be reduced to it.– “Checking Herbrand Equalities and Beyond“,

H. Seidl, M. Muller-Olm, VMCAI 2005

y=z ?


y := 1; z := 1;

y := u1(y);

z := v1(z);

FalseTrue

Assert (d=0);

y := um(y);

z := vm(z); *

d := 1;

d := 0;

Think of ui, vi as sequences of applications of unary fns, one corresponding to 0 and other corresponding to 1.

Outline



• Hardness of Assertion Checking– Linear Arithmetic– Uninterpreted Functions Combination of Linear Arithmetic and Uninterpreted Fns

Assertion Checking: Combination of Linear Arithmetic & Uninterpreted Functions

• Deterministic Conditionals: Undecidable– No surprise since problem is undecidable for individual

cases of linear arithmetic and uninterpreted fns.

• Non-deterministic Conditionals: ? At least coNP-hard– Even for equality conditionals. – A surprising result since assertion checking for

individual cases of linear arithmetic (equalities) and uninterpreted fns is PTIME, but not for combination.

– In contrast, decision procedures for linear arithmetic and uninterpreted fns can be combined in PTIME using Nelson-Oppen methodology.

– “Assertion checking over combination of linear arithmetic and uninterpreted fns”, S. Gulwani, A. Tiwari, ESOP 2006

Reducing Unsatisfiability to Assertion Checking

boolean 3-SAT instance with m clauses

IsUnsatisfiable() {for j=1 to m

cj := 0;for i=1 to k do if (*) 8 j s.t. var i occurs positively in clause j, cj := 1; else

8 j s.t. var i occurs negatively in clause j, cj := 1;y = c1 + c2 + … + cm;Assert (y=0 Ç y=1 … Ç y=m-1);

}

Encoding disjunction

• The check y=1 Ç y=2 can be encoded by the assertion F(y) = F(1)+F(2)-F(3-y)).

• The above trick can be recursively applied to construct an assertion that encodes y=0 Ç y=1 Ç … Ç y=m-1– Eg., y=0 Ç y=1 Ç y=2 can be encoded by encoding F(y)=F(0) Ç F(y)=F(1)+F(2)-F(3-y)

Conclusion

• We showed how logical reasoning traditionally used in theorem proving can be exploited in an abstract interpretation setting.– We focused on conjunctive and universally quantified

invariants over the domain of linear arithmetic and uninterpreted fns.

• There are several other interesting issues in program analysis that we did not address:– Destructive updates

• Points-to analysis, Shape analysis– Path-sensitive analysis

• Disjunctive invariants– Inter-procedural analysis

• Procedure summaries

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Documents

equalities e

c e fe

example y f f f f f

c e atomic facts g

theories of linear arithmetic

uninterpreted fns slide

constraints xy c reasoning

theory t